On DDoS Attack Activity
by Danny McPherson

We’ve been doing analysis on the DDoS attack and network traffic distribution data some of our Peakflow SP customers are providing and I figured I’d share a bit of a teaser. The data is shared with Arbor via an optional module within Peakflow SP, so if you’re wondering how it’s gathered have a look here.
We’ve got 26 SP deployments participating at the moment (and still growing) and have been archiving attack and traffic data daily for about four months now. Some stats on the data gathered thus far:
- the data is representative of only inter-provider traffic and attack activity (customer and internal attack activity explicitly excluded)
- about 0.5 Tbps in aggregate
- about 500 routers, 30,000 unique interfaces
- ~126 day collection period
- ramp from 12 to 26 participants during that period
- 120,231 attacks reported (954 attacks/day average)
A daily high of 1991 attacks was observed on 11/8/2006. There are also some discernible drops in aggregate attack activity around Christmas and New Year’s; perhaps the miscreants were distracted with the holidays?

Lots of interesting information can be gleaned from the data. For example, TCP attacks lead the pack at the moment, followed by ICMP and UDP-based attacks. Of the TCP-based attacks, SYN floods are the most prominent attacks, followed closely by Null and “Christmas tree” attacks.
Attack and routing data is shared via XML, a typical attack fragment looks like this:

This attack was one of the larger attacks observed over the current period, with a maximum packet rate of ~6.2m packets per second. It appears to have been source IP and port spoofed (hence the 0.0.0.0/0 and 0-65535 fields versus something more specific). The SP reporting the attack above observed it ingressing the network via 19 different routers, 52 different interfaces, pretty well distributed. It was a Null TCP attack (no flags) targeting a, umm.., “popular” IRC server (TCP/6667), whose IP has been anonymized here. Not surprisingly, given the scale and distribution of this attack, several of the other participating SPs reported some of the attack flows via their networks as well.
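As an added illustration (not code from the post or from Peakflow SP), the snippet below classifies the TCP vectors the post ranks (SYN, Null, “Christmas tree”), flags the fully unconstrained source prefix and port range that suggested spoofing in the attack above, and summarizes per-vector counts and peak packet rates. The record layout is constructed for the example and is not the Peakflow SP XML schema.

```python
from collections import defaultdict

# TCP flag bits as laid out in the TCP header flags byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_tcp_flags(flags: int) -> str:
    """Map a TCP flags byte onto the vectors named in the post."""
    if flags == 0:
        return "null"            # no flags set: never produced by a real stack
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "christmas-tree"  # FIN+PSH+URG lit together (the classic Xmas pattern)
    if flags == SYN:
        return "syn"             # bare SYN: normal per-connection, a flood at volume
    return "other"

def looks_spoofed(src_prefix: str, src_ports: str) -> bool:
    """An unconstrained source prefix and full port range point to spoofing."""
    return src_prefix == "0.0.0.0/0" and src_ports == "0-65535"

# Constructed sample records modelled loosely on the fields the post describes.
SAMPLE_ATTACKS = [
    {"id": 1, "proto": "tcp", "flags": 0x00, "src_prefix": "0.0.0.0/0", "src_ports": "0-65535",
     "dst_port": 6667, "max_pps": 6_200_000, "routers": 19, "interfaces": 52},
    {"id": 2, "proto": "tcp", "flags": SYN, "src_prefix": "0.0.0.0/0", "src_ports": "0-65535",
     "dst_port": 80, "max_pps": 900_000, "routers": 4, "interfaces": 6},
    {"id": 3, "proto": "tcp", "flags": FIN | PSH | URG, "src_prefix": "192.0.2.0/24",
     "src_ports": "1024-65535", "dst_port": 22, "max_pps": 150_000, "routers": 1, "interfaces": 1},
    {"id": 4, "proto": "icmp", "flags": None, "src_prefix": "0.0.0.0/0", "src_ports": "0-65535",
     "dst_port": 0, "max_pps": 400_000, "routers": 3, "interfaces": 3},
]

def tag_attack(rec):
    """Attach a vector label and a spoofing indicator to one record."""
    vector = rec["proto"] if rec["proto"] != "tcp" else "tcp-" + classify_tcp_flags(rec["flags"])
    return {**rec, "vector": vector, "spoofed": looks_spoofed(rec["src_prefix"], rec["src_ports"])}

def summarize(records):
    """Per-vector attack count, peak pps and spoofed count, like the post's ranking."""
    summary = defaultdict(lambda: {"count": 0, "max_pps": 0, "spoofed": 0})
    for rec in map(tag_attack, records):
        s = summary[rec["vector"]]
        s["count"] += 1
        s["max_pps"] = max(s["max_pps"], rec["max_pps"])
        s["spoofed"] += int(rec["spoofed"])
    return dict(summary)

if __name__ == "__main__":
    for vector, s in sorted(summarize(SAMPLE_ATTACKS).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{vector:18} attacks={s['count']} peak_pps={s['max_pps']:,} spoofed={s['spoofed']}")
```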
Many other attack and traffic attributes are available, from packet sizes, ports and protocols to detailed Network and Transport Layer attack vectors for each reported attack, including sources and targets, etc. Both the specific attacks and the aggregate data, correlated over time, will provide some interesting perspective.
If you’ve got thoughts, questions, or comments, ping Craig Labovitz or me. Otherwise, stay tuned, as you’ll be seeing a great deal more analysis of this and related data in the near future…